Prerequisites for AWS
Refer to the following topics for details:
- Subscribe to GigaVUE Cloud Suite Components
- Recommended Instance Types for AWS
- AWS Security Credentials
- Amazon VPC
- Permissions
- Default Login Credentials
Subscribe to GigaVUE Cloud Suite Components
To deploy the GigaVUE Cloud Suite for AWS from the AWS Marketplace, you can subscribe to the following GigaVUE Cloud Suite components.
-
GigaVUE V Series Node
-
GigaVUE V Series Proxy
-
GigaVUE V Series Controller
-
GigaVUE‑FM BYOL.
Note: You will not be charged for subscribing to the components.
To subscribe to the GigaVUE components, perform the following steps:
- Login to your AWS account.
- Go to https://aws.amazon.com/marketplace/.
- In the Search field, type Gigamon and click Search.
- Select the latest GigaVUE Cloud Suite version link from the list for Gigamon products.
- Click Continue to Subscribe.
Recommended Instance Types for AWS
Product |
Instance Type | vCPU | RAM |
---|---|---|---|
GigaVUE‑FM |
m4.xlarge |
4 vCPU |
16 GB |
GigaVUE V Series Node |
c5n.xlarge |
4 vCPU |
10.5 GB |
GigaVUE V Series Proxy |
t2.medium |
2 vCPU |
4 GB |
UCT-V |
t2.micro |
1 vCPU |
1 GB |
UCT-V Controller |
t2.medium |
2 vCPU |
4 GB |
AWS Security Credentials
To establish the initial connection between GigaVUE-FM and AWS, you will require the security credentials for AWS. These credentials are necessary to verify your identity and determine whether you have authorization to access the resources you are requesting. AWS employs these security credentials to authenticate and authorize your requests.
You need one of the following security credentials:
- Identity and Access Management (IAM) role— If GigaVUE-FM is running within AWS, it is recommended to use an IAM role. By using an IAM role, you can securely make API requests from the instances. Create an IAM role and ensure that the permissions and policies listed in Permissions are associated to the role and also ensure that you are using Customer Managed Policies or Inline Policies.
- Access Keys—If GigaVUE-FM is configured in the enterprise data center, then you must use the access keys or basic credentials to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account. An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.
Note: To obtain the IAM role or access keys, contact your AWS administrator.
Amazon VPC
You must have a Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.
Note: To create a VPC, refer to Create a VPC topic in the AWS Documentation.
Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:
Subnet for VPC
VPC must have a subnet to configure the GigaVUE Cloud Suite for AWS components. You can either have the components deployed in a single subnet or in multiple subnets.
- Management Subnet that the GigaVUE-FM uses to communicate with the GigaVUE V Series nodes and controllers and UCT-V Controllers.
- Data Subnet that can accept incoming mirrored traffic from agents or be used to egress traffic to a tool.
If a single subnet is used, then the Management subnet is also used as a Data Subnet
Security Group
When you launch GigaVUE‑FM, GigaVUE V Series Proxies, GigaVUE V Series Nodes, and UCT-V Controllers, a security group can be utilized to define virtual firewall rules for your instance, which in turn regulates inbound and outbound traffic. You can add rules to manage inbound traffic to instances, and a distinct set of rules to control outbound traffic.
It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table.
The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.
Note: When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.
GigaVUE‑FM |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
443 |
Administrator Subnet |
Allows GigaVUE-FM to accept Management connection using REST API. Allows users to access GigaVUE-FM UI securely through HTTPS connection. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access to user-initiated management and diagnostics. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Node IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Proxy IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API. |
||||||
Inbound |
TCP |
443 |
UCT-C Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-C Controller using REST API. |
||||||
Inbound |
TCP |
5671 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes. |
||||||
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-V Controllers. |
||||||
Inbound |
TCP |
5671 |
UCT-C Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-C Controllers. |
||||||
Inbound |
UDP |
2056 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller. |
||||||
Outbound (optional) |
TCP |
8890 |
GigaVUE V Series Proxy IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy. |
||||||
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node. |
||||||
Outbound |
TCP |
8443 (default) |
UCT-C Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to UCT-C Controller. |
||||||
Outbound |
TCP |
443 |
Any IP Address |
Allows GigaVUE‑FM to reach the Public Cloud Platform APIs. |
||||||
UCT-V Controller |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM |
||||||
Inbound |
TCP |
9900 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive traffic health updates from UCT-V. |
||||||
Inbound (This port is used for Third Party Orchestration) |
TCP |
8891 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive the registration requests from UCT-V. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound (This port is used for Third Party Orchestration) |
TCP |
443 |
GigaVUE‑FM IP |
Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API. |
||||||
Outbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |
||||||
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM. |
||||||
UCT-V |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V to receive control and management plane traffic from UCT-V Controller |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound (This port is used for Third Party Orchestration) |
TCP |
8891 |
UCT-V Controller IP |
Allows UCT-V to communicate with UCT-V Controller for registration and Heartbeat |
||||||
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes |
||||||
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes |
||||||
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
GigaVUE V Series Node IP |
Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node |
||||||
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows UCT-V to send traffic health updates to UCT-V Controller. |
||||||
GigaVUE V Series Node |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8889 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM |
||||||
Inbound |
TCP |
8889 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
Inbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V |
||||||
Inbound |
IP Protocol (L2GRE) |
L2GRE |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V |
||||||
Inbound |
UDPGRE |
4754 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Inbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows to securely transfer the traffic to GigaVUE V Series Nodes. |
||||||
Inbound (Optional - This port is used only for configuring AWS Gateway Load Balancer) |
UDP (GENEVE) |
6081 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM. |
||||||
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
Outbound |
UDP |
2056 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
||||||
Outbound |
UDP |
2055 |
Tool IP |
Allows GigaVUE V Series Node to send NetFlow traffic to an external tool. |
||||||
Outbound |
UDP |
514 |
Tool IP |
Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
||||||
Bidirectional (optional) |
ICMP |
|
Tool IP |
Allows GigaVUE V Series Node to send health check tunnel destination traffic. |
||||||
Outbound (This port is used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |
||||||
Outbound (This port is used for Third Party Orchestration) |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
||||||
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
Tool IP |
Allows to securely transfer the traffic to an external tool. |
||||||
GigaVUE V Series Proxy (optional) |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8890 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
Inbound (This port is used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM |
||||||
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node |
||||||
Universal Cloud Tap - Container deployed inside Kubernetes worker node |
||||||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
42042 |
Any IP address |
Allows UCT-C to send statistical information to UCT-C Controller. |
||||||
Outbound |
UDP |
VXLAN (default 4789) |
Any IP address |
Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination. |
||||||
UCT-C Controller deployed inside Kubernetes worker node |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8443 (configurable) |
GigaVUE-FM IP |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
5671 |
Any IP address |
Allows UCT-C Controller to send statistics to GigaVUE-FM. |
||||||
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows UCT-C Controller to communicate with GigaVUE-FM. |
Key Pair
A key pair consists of a public key and a private key. When you define the specifications for the UCT-V Controllers, GigaVUE V Series nodes, and GigaVUE V Series Proxy in your VPC, you must create a key pair and specify the name of this key pair.
To create a key pair, refer to Create a key pair using Amazon EC2 topic in the AWS Documentation.
Permissions
If you use an account-wide policy to encrypt all volumes with KMS keys, you must add the "kms:GenerateDataKeyWithoutPlaintext" permission to the IAM policy.
For more information on permissions, see the topic Check for Required IAM Permissions.
Default Login Credentials
You can login to the GigaVUE V Series Node, GigaVUE V Series proxy, and UCT-V Controller by using the default credentials.
Product |
Login credentials |
GigaVUE V Series Node |
You can login to the GigaVUE V Series Node by using ssh. The default username and password is: Username: gigamon Password: Use the SSH key. |
GigaVUE V Series proxy |
You can login to the GigaVUE V Series proxy by using ssh. The default username and password is: Username: gigamon Password: Use the SSH key. |
UCT-V Controller |
You can login to the GigaVUE V Series proxy by using ssh. The default username and password is: Username: ubuntu Password: Use the SSH key. |